GDPR Fines and Penalties: Complete Guide (2026)

GDPR Article 83 sets two penalty tiers: up to EUR 10 million or 2% of global annual turnover for organizational violations, and up to EUR 20 million or 4% for breaches of core processing principles, data subject rights, or transfer requirements, whichever is higher.
The GDPR gives European data protection authorities the power to impose substantial administrative fines on organizations that violate its provisions. Since the regulation took effect on May 25, 2018, supervisory authorities across the EU have issued more than 2,800 fines totaling over EUR 7.1 billion.
This guide explains the penalty structure in detail, covers the EDPB methodology for calculating fines, analyzes the landmark Deutsche Wohnen ruling on corporate liability, lists the largest fines and their current status, and covers consequences beyond fines including civil compensation claims under Article 82. For an overview of the regulation itself, see our guide to What Is GDPR.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
Quick Answer: What Are the GDPR Penalties?
GDPR penalties fall into two tiers under Article 83.
For the more serious violations (breaches of core processing principles, data subject rights, consent rules, and international transfer requirements), the maximum is EUR 20 million or 4% of the organization's total worldwide annual turnover, whichever is higher.
For organizational and procedural violations (failing to maintain records, not appointing a DPO when required, inadequate breach notification), the maximum is EUR 10 million or 2% of global annual turnover, whichever is higher.
For large multinationals, the percentage cap vastly exceeds the fixed euro amount. A company with EUR 30 billion in annual revenue faces a potential ceiling of EUR 1.2 billion at the 4% tier, precisely the amount imposed on Meta in 2023.
Beyond fines, authorities can ban processing, order data erasure, impose compliance remediation orders, and suspend international data transfers. Individuals can also claim compensation directly from controllers and processors for material and non-material damage under Article 82.

The Two-Tier Fine Structure Under Article 83
Article 83 of the GDPR establishes the two-tier maximum fine framework. The applicable tier depends entirely on which provision was violated.
Lower Tier: Up to EUR 10 Million or 2% of Global Turnover
The lower tier applies to violations of the controller and processor obligations set out in Articles 8, 11, 25 through 39, 42, and 43. These are primarily organizational and procedural requirements:
- Failing to maintain records of processing activities (Article 30)
- Not conducting a required Data Protection Impact Assessment (Article 35)
- Failing to appoint a DPO when one is required (Article 37)
- Deficient breach notification procedures (Article 33)
- Failures by certification bodies and monitoring bodies
These violations are serious, but they are treated as less severe than breaches of the fundamental principles governing how personal data may be used.
Upper Tier: Up to EUR 20 Million or 4% of Global Turnover
The upper tier applies to violations of the provisions that sit at the heart of the GDPR's data protection framework:
- The basic principles for processing and conditions for lawful processing (Articles 5, 6, 7, 9)
- Data subject rights: access, rectification, erasure, restriction, portability, and objection (Articles 12 through 22)
- International data transfer rules (Articles 44 through 49)
- National law provisions adopted under Chapter IX
- Non-compliance with a binding order from a supervisory authority
The fine is always whichever amount is higher within the relevant tier. For a company with EUR 10 billion in global annual revenue, 4% yields a EUR 400 million ceiling, twenty times the EUR 20 million fixed maximum.
The Fault Requirement: The Deutsche Wohnen Ruling
A significant question in early GDPR enforcement was whether fines could be imposed on companies under a strict liability standard, or only where the infringement was intentional or negligent.
The CJEU resolved this in its December 5, 2023 judgment in Case C-807/21 (Deutsche Wohnen). The case arose from a EUR 14.5 million fine imposed by the Berlin data protection authority on a real estate company for retaining tenant data after it was no longer needed.
The CJEU made three important rulings.
First, a fault requirement applies: GDPR administrative fines may only be imposed where the infringement was committed intentionally or negligently. Strict liability is incompatible with Article 83. This brought an end to the argument that companies could be fined for violations they had no reasonable means to identify or prevent.
Second, no identified natural person is needed: Authorities do not need to attribute the infringement to a specific identified individual within the organization before imposing a fine on the legal entity. A company can be fined directly based on the conduct of its organs, employees, or agents, without a separate finding against a named person.
Third, companies are fined as undertakings: For calculating fine ceilings, a controller is treated as an "undertaking" in the competition-law sense. This means the ceiling is calculated against the entire economic unit's worldwide turnover, not just that of the subsidiary or entity that was the direct controller. Parent-company revenues are included.
The ruling matters in practice because it shapes both how authorities approach fine investigations and how companies can defend against them. Demonstrating that a violation was non-negligent (through documented reasonable compliance efforts) is now a viable defense.

How GDPR Fines Are Calculated: EDPB Guidelines 04/2022
The EDPB Guidelines 04/2022 on the calculation of administrative fines establish a five-step methodology that supervisory authorities across all EU member states follow. The guidelines were finalized in June 2023 following public consultation.
The methodology is not an automated formula. Fines remain a matter of supervisory discretion within the steps, but the framework creates consistency across jurisdictions.
Step 1: Identify Processing Operations and Applicable Provisions
The authority identifies which processing operations are at issue and which GDPR provisions were infringed. Where multiple infringements arise from the same set of processing operations, Article 83(3) applies: a single fine is imposed for the most serious violation rather than separate fines for each breach. This prevents the artificial multiplication of penalties for what is functionally one course of conduct.
Step 2: Determine the Starting Amount
The starting amount reflects three variables.
Nature of the infringement: Which tier of Article 83 applies? Is the violated provision central to data subjects' fundamental rights, or is it an organizational procedure?
Gravity: How severe is the infringement in concrete terms? This covers the number of data subjects affected, the sensitivity of the data involved (special category data such as health or biometric data is treated more seriously), the financial or other harm suffered, and the geographic scope.
Duration: How long did the infringement continue? A violation discovered and remediated within days is treated differently from one that persisted for years.
The starting amount is also calibrated against the turnover of the undertaking. A fine that would be dissuasive for an SME would be negligible for a multinational, so the absolute figure scales with organizational size.
Step 3: Evaluate Aggravating and Mitigating Circumstances
Article 83(2) lists specific factors that authorities must weigh. These push the calculated amount up or down:
| Factor | Aggravating | Mitigating |
|---|---|---|
| Intent | Deliberate violation | Negligent oversight |
| Mitigation steps | None taken | Prompt, effective remediation |
| Past conduct | Previous GDPR violations | Clean enforcement record |
| Cooperation | Obstructed investigation | Full, proactive cooperation |
| Data categories | Special category or children's data | Non-sensitive general data |
| Self-reporting | Authority discovered the issue | Organization self-reported |
| Certifications | No codes of conduct in place | Approved codes or certifications followed |
| Damage | Significant harm to data subjects | Minimal or no actual harm |
Cooperation is one of the most practically significant factors. Organizations that engage transparently, implement remediation quickly, and respond fully to information requests consistently receive lower fines than those that delay or obstruct.
Step 4: Apply the Legal Maximum
The calculated amount is checked against the applicable ceiling for the relevant tier. The fine cannot exceed the maximum regardless of how severe the circumstances are.
Step 5: Assess Effectiveness, Proportionality, and Dissuasiveness
The final figure must satisfy three requirements under Article 83(1): effective (capable of ensuring compliance), proportionate (not excessive relative to the violation and the organization's circumstances), and dissuasive (capable of deterring future violations). The authority may adjust the amount if it does not meet all three requirements.
The Amazon annulment in March 2026 illustrates this step's importance: the Luxembourg court found the CNPD had skipped the proportionality analysis, which was sufficient to annul the fine entirely.
Article 83(2): The Full List of Factors
Article 83(2) specifies eleven factors that supervisory authorities must take into account. These map directly to what organizations can document:
- Nature, gravity, and duration of the infringement
- Whether the infringement was intentional or negligent
- Actions taken to mitigate damage
- Degree of responsibility, given the technical and organizational measures under Articles 25 and 32
- Relevant prior infringements by the controller or processor
- Degree of cooperation with the supervisory authority
- Categories of personal data affected
- How the authority became aware of the infringement (self-reported vs. discovered via complaint)
- Whether measures under Article 58(2) were previously ordered against the same controller
- Adherence to approved codes of conduct (Article 40) or certification mechanisms (Article 42)
- Any other applicable aggravating or mitigating factor

The Largest GDPR Fines and Their Current Status
The following table covers the ten largest GDPR fines issued to date. Appeal status is verified as of May 2026.
| Rank | Company | Fine | DPA | Year | Violation | Status |
|---|---|---|---|---|---|---|
| 1 | Meta (Facebook) | EUR 1.2 billion | Irish DPC | 2023 | EU-US data transfers without adequate safeguards | Fine stands; appeal pending at EU General Court |
| 2 | Amazon | EUR 746 million | Luxembourg CNPD | 2021 | Invalid legal basis for behavioral advertising | Annulled March 2026; case referred back to CNPD |
| 3 | TikTok | EUR 530 million | Irish DPC | 2025 | Transfers of EEA user data to China | Fine issued; appeal at Irish High Court; transfer suspension stayed |
| 4 | Meta (Instagram) | EUR 405 million | Irish DPC | 2022 | Processing children's data without adequate protections | Final |
| 5 | Meta (Facebook/Instagram) | EUR 390 million | Irish DPC | 2023 | No valid legal basis for behavioral advertising | Final |
| 6 | TikTok | EUR 345 million | Irish DPC | 2023 | Children's data and default privacy settings | Final |
| 7 | LinkedIn | EUR 310 million | Irish DPC | 2024 | Invalid consent and legal bases for behavioral advertising | Appeal filed at Irish High Court |
| 8 | Uber | EUR 290 million | Dutch AP | 2024 | EU driver data transferred to US without safeguards | Appeal filed; may take up to four years |
| 9 | Meta (Facebook) | EUR 265 million | Irish DPC | 2022 | Security failures enabling scraping of 533 million records | Final |
| 10 | Meta (Facebook) | EUR 251 million | Irish DPC | 2024 | Security breach affecting 29 million global accounts | Final |
Key Case Notes
Meta EUR 1.2 billion (May 2023). The Irish DPC imposed this record fine following an EDPB binding decision. Meta transferred EU Facebook user data to the US under Standard Contractual Clauses, but the EDPB found that SCCs could not adequately protect EU data given US surveillance laws. Meta appealed to the EU General Court; the appeal was formally unlocked following a CJEU procedural ruling in early 2026 and remains pending. Meta adopted the EU-US Data Privacy Framework as a transfer mechanism going forward, but this does not retroactively cure the historical violation.
Amazon EUR 746 million (2021, annulled March 2026). Luxembourg's CNPD imposed this fine for Amazon's use of "legitimate interests" as the legal basis for behavioral advertising. On March 12, 2026, Luxembourg's Administrative Court annulled the fine. The court found the CNPD had failed to conduct the fault analysis required by Deutsche Wohnen and had not properly assessed proportionality: specifically, whether a less severe measure was appropriate. The court endorsed the substantive finding that Amazon's legal basis was invalid. The case was referred back to the CNPD. Amazon may still face a new fine following a compliant reassessment.
TikTok EUR 530 million (May 2, 2025). The Irish DPC fined TikTok EUR 45 million for failing to inform EEA users about possible access to their data from China (Article 13 violation) and EUR 485 million for transferring EEA user data to China without effective safeguards under Article 46. The DPC also ordered TikTok to suspend the transfers within six months. TikTok filed an appeal at the Irish High Court in May 2025. In November 2025, the court stayed the data-transfer suspension order pending the appeal, meaning TikTok does not have to halt China transfers while proceedings continue. The EUR 530 million fine itself has not been stayed.
LinkedIn EUR 310 million (October 2024). The Irish DPC found that LinkedIn relied on invalid consent, illegitimate interests, and illegitimate contractual necessity as legal bases for behavioral analysis and advertising. LinkedIn filed a High Court appeal arguing the fine was disproportionate. The appeal is pending.
Uber EUR 290 million (August 2024). The Dutch AP fined Uber for transferring EU driver data (including criminal history, medical data, and location information) to Uber's US headquarters without any transfer mechanism for over two years. Uber has appealed; proceedings may take up to four years.
Why Ireland Dominates the Largest Fines
Six of the top ten fines were issued by Ireland's Data Protection Commission. The GDPR's one-stop-shop mechanism assigns primary supervisory authority to the DPA in the member state where a company has its main EU establishment. Meta, Google, Apple, TikTok, LinkedIn, and Microsoft all chose Dublin, making the Irish DPC their lead authority. The DPC's enforcement pace accelerated after 2022, following sustained pressure from the EDPB and other EU authorities who objected to what they regarded as under-enforcement of major technology platforms.

Consequences Beyond Fines
Administrative fines are the most visible GDPR enforcement tool, but supervisory authorities have a broad toolkit of corrective powers under Article 58(2), and individuals have independent civil compensation rights under Article 82.
Corrective Powers Under Article 58(2)
Supervisory authorities can issue any of the following, separately from or in addition to a fine:
- Warnings and reprimands: Used for less serious violations or first-time offenders
- Orders to comply: Requiring the controller or processor to bring processing into conformity within a specified period
- Temporary or permanent processing bans: Prohibiting specific processing activities
- Orders to erase data: Requiring deletion of personal data collected in violation of the GDPR
- Suspension of data transfers: Prohibiting transfers of personal data to a third country
- Orders to notify data subjects: Requiring notification of individuals where the controller has failed to do so
Processing bans and transfer suspensions can be existential for companies whose business depends on the affected activities. TikTok obtained a court stay of the Irish DPC's transfer suspension order precisely because halting China transfers was considered more operationally damaging than the EUR 530 million fine. The order involved no money; it was the operational consequence that drove litigation.
Civil Compensation Under Article 82
Article 82 gives any person who has suffered material or non-material damage as a result of a GDPR infringement the right to seek compensation from the controller or processor responsible. Both the controller and any involved processor are liable jointly; a processor can escape liability only by showing it bears no fault.
The CJEU clarified the scope of Article 82 in its May 2023 judgment in Case C-300/21 (Österreichische Post). Three principles emerged.
Three conditions must all be met: an infringement of the GDPR, actual damage suffered, and a causal link between the infringement and the damage. An infringement without proven damage does not entitle the claimant to compensation.
No minimum seriousness threshold for non-material damage: Article 82 does not require that emotional distress or anxiety reach a particular severity before qualifying for compensation. Member states may not impose their own seriousness threshold.
Compensation amounts are determined by national law, subject to EU principles of equivalence and effectiveness. Awards vary significantly across member states.
In practice, Article 82 claims are brought alongside regulatory enforcement, through representative proceedings, or in standalone civil litigation. Regulatory fines and civil compensation claims can proceed simultaneously, creating dual-track liability for the same GDPR violation.
Enforcement Trends: 2024 to 2026
2025 Statistics and EDPB Annual Report
The EDPB published its 2025 Annual Report in April 2026. National data protection authorities issued a combined EUR 1.15 billion in fines during 2025, nearly entirely driven by the Irish DPC's TikTok decision. The cumulative total since May 2018 has exceeded EUR 7.1 billion across more than 2,800 penalties.
The EDPB's 2025 Coordinated Enforcement Framework (CEF) action focused on the right to erasure under Article 17. Thirty-two DPAs participated, examining 764 controllers across Europe ranging from SMEs to large corporations and public bodies.
The CEF 2026 action targets transparency and information obligations under Articles 13 and 14, examining whether organizations provide data subjects with clear, complete, and accessible privacy notices. Organizations with generic or incomplete privacy policies face elevated scrutiny in 2026.
Where Enforcement Is Focused
Several patterns characterize enforcement from 2024 through 2026.
International data transfers remain the highest-risk area. The top three fines by value all involve transfers of EU personal data to countries without an adequacy decision. The EU-US Data Privacy Framework, adopted in July 2023, provides a legal mechanism for certified companies, but its validity remains contested in EU courts. For transfers to China and other countries, no adequacy decision exists and the scrutiny is intense.
Behavioral advertising and invalid legal bases. The finding that "legitimate interests" and "contractual necessity" cannot support behavioral profiling and targeted advertising has now generated significant fines against Meta, Amazon, LinkedIn, and others. Companies whose revenue model depends on behavioral advertising face ongoing exposure unless they obtain specific, valid consent.
AI and data processing. The EDPB's April 2025 opinion clarified that large language models rarely achieve GDPR-compliant anonymization. Controllers deploying third-party AI tools that process personal data must assess their legal basis and document a legitimate interests assessment where applicable.
Governance failures, not just incident outcomes. Enforcement has shifted toward penalizing structural deficiencies (absent encryption, weak vendor management, inadequate access controls) regardless of whether a breach has actually occurred.
GDPR Omnibus IV: Proposed Reforms
In November 2025, the European Commission published the Omnibus IV package, which proposes targeted amendments aimed at reducing administrative burden. Key proposals include extending record-keeping exemptions under Article 30 to organizations with fewer than 750 employees (currently 250), and extending SME-specific provisions to "small mid-cap enterprises."
The EDPB and EDPS welcomed some aspects while requesting clarifications. The package is not expected to be formally adopted before late 2026 at the earliest. The fine structure under Article 83 is not affected by the current proposals.
How to Reduce Your Risk of GDPR Fines
Supervisory authorities weigh compliance posture, cooperation, and remediation when calculating fines. The following steps both prevent violations and reduce penalties if a violation occurs.
Document Everything
The GDPR's accountability principle (Article 5(2)) requires organizations to demonstrate compliance, not merely to comply. Maintain records of processing activities, completed DPIAs, legal basis assessments, staff training logs, vendor contracts with Article 28 terms, and updated privacy policies. Documentation is evidence of good faith and serves directly as a mitigating factor.
Respond to Incidents Immediately
When a breach or compliance failure occurs, speed matters. The 72-hour breach notification window is a legal obligation, but rapid response is also mitigating. Immediate remediation, prompt notification to the supervisory authority, and transparent communication all weigh in the organization's favor. See our guide on the GDPR 72-hour breach notification rule for the full reporting process.
Cooperate With Supervisory Authority Investigations
Organizations that respond promptly to information requests, grant access for inspections, and implement recommended changes consistently receive lower fines than those that delay or litigate at every step. Full cooperation is explicitly listed as a mitigating factor under Article 83(2)(f).
Audit International Data Transfers
Given that the three largest GDPR fines all involve cross-border transfers, mapping every outbound data flow and verifying valid transfer mechanisms is a high-priority compliance task. Standard Contractual Clauses must be accompanied by a Transfer Impact Assessment for transfers to countries without an adequacy decision.
Validate Legal Bases for Advertising and Analytics
The wave of fines against Meta, Amazon, LinkedIn, and others for invalid legal bases in behavioral advertising demonstrates that legitimate interests is not a safe harbor for profiling and targeted advertising. Organizations relying on this basis for analytics or advertising should have their assessments reviewed by counsel experienced in GDPR enforcement.
Invest in Staff Training and Privacy by Design
Many violations stem from employee errors or products built without data-minimization principles. Regular, documented training and privacy-by-design review of new products and features reduce both the likelihood of violations and the negligence finding that would aggravate a fine under Deutsche Wohnen.
Use the GDPR Compliance Checklist
Our GDPR compliance checklist covers all key obligations in a structured format. Organizations with documented compliance programs are better positioned to demonstrate the accountability that supervisory authorities require.
Frequently Asked Questions
What is the maximum GDPR fine?
The maximum GDPR fine is EUR 20 million or 4% of the organization's total worldwide annual turnover from the preceding financial year, whichever is higher. This upper-tier penalty applies to violations of core processing principles, data subject rights, consent rules, and international transfer requirements under Article 83(5). For lower-tier violations such as record-keeping and DPO appointment failures, the maximum is EUR 10 million or 2% of global turnover.
What is the largest GDPR fine ever issued?
The largest confirmed GDPR fine is EUR 1.2 billion, imposed on Meta Platforms Ireland Limited by Ireland's Data Protection Commission in May 2023 for transferring EU Facebook user data to the United States without adequate safeguards. The fine resulted from an EDPB binding decision. Meta has appealed to the EU General Court; the appeal remains pending as of 2026. Amazon's EUR 746 million fine, previously the second largest, was annulled by a Luxembourg court in March 2026 and sent back to the regulator for reassessment. Amazon may still face a new fine.
Can a company be fined under GDPR without any intent to break the rules?
No. The CJEU confirmed in its December 2023 Deutsche Wohnen judgment (Case C-807/21) that GDPR fines require the infringement to have been committed intentionally or negligently. Strict liability is incompatible with Article 83. However, negligence is a low bar: failing to take reasonable compliance steps will generally satisfy it. An organization that makes a genuine, documented effort to comply but still makes a mistake has a viable argument for a reduced fine.
How are GDPR fines calculated?
Supervisory authorities follow the EDPB Guidelines 04/2022, which establish a five-step process: identify the infringements and evaluate Article 83(3) on multiple violations; determine a starting amount based on nature, gravity, and duration and the organization's turnover; evaluate aggravating and mitigating factors including intent, cooperation, prior violations, data categories, and remediation steps; apply the legal maximum for the relevant tier; and assess whether the final amount is effective, proportionate, and dissuasive.
Can GDPR fines apply to companies outside the EU?
Yes. The GDPR applies to any organization worldwide that processes personal data of people in the EU, and fines apply equally to non-EU companies. TikTok (China-owned, EUR 530 million via Irish DPC), Amazon (US-based, EUR 746 million via Luxembourg CNPD, now annulled on appeal), and Uber (US-based, EUR 290 million via Dutch AP) have all received major fines despite being headquartered outside the EU.
What happened to Amazon's EUR 746 million GDPR fine?
Amazon's EUR 746 million fine, imposed by Luxembourg's CNPD in 2021 for using an invalid legal basis for behavioral advertising, was annulled by Luxembourg's Administrative Court on March 12, 2026. The court found the CNPD had failed to analyze whether Amazon acted intentionally or negligently (the fault requirement the CJEU established in Deutsche Wohnen) and had not considered whether a less severe measure was appropriate. The substantive finding that Amazon's legal basis was invalid was upheld. The case was referred back to the CNPD to redo its analysis; Amazon may still face a new fine.
Can individuals sue for GDPR violations?
Yes. Article 82 gives individuals the right to seek compensation from controllers or processors for material and non-material damage caused by a GDPR infringement. The CJEU confirmed in the Österreichische Post case (C-300/21, May 2023) that there is no minimum seriousness threshold: any proven distress can qualify for compensation. However, claimants must prove an actual infringement, actual damage, and a causal link. Regulatory enforcement and civil claims can proceed simultaneously.
Which EU country issues the most GDPR fines?
Spain's Agencia Española de Protección de Datos (AEPD) issues the highest volume of individual fines, over 1,000 since 2018, mostly smaller penalties targeting domestic companies. Ireland's Data Protection Commission leads in total fine value at over EUR 4 billion in aggregate, because major technology companies including Meta, TikTok, LinkedIn, Google, and Apple have their European headquarters in Dublin, making the Irish DPC their lead supervisory authority under the one-stop-shop mechanism.
What are the most common GDPR violations that lead to fines?
The most common violations generating fines are: processing data without a valid legal basis under Article 6; inadequate technical security measures leading to data breaches; unlawful international data transfers without adequate safeguards; failure to respond to data subject rights requests within statutory timeframes; and insufficient transparency in privacy notices. The largest fines have concentrated on international transfers and invalid legal bases for behavioral advertising.